Why Did Congress Let Law Enforcement Officials Lie About Encryption?

from the you-can't-be-serious dept

When you testify before Congress, it helps to actually have some knowledge of what you're talking about. On Tuesday, the House Energy & Commerce Committee held the latest congressional hearing on the whole silly encryption fight, entitled Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives. And, indeed, they did have witnesses presenting "industry" and "law enforcement" views, but for unclear reasons decided to separate them. First up were three "law enforcement" panelists, who were free to say whatever the hell they wanted with no one pointing out that they were spewing pure bullshit. You can watch the whole thing below (while it says it's 4 hours, it doesn't actually start until about 45 minutes in):

Lots of craziness was stated -- starting with the idea pushed by both chief of intelligence for the NYPD, Thomas Galati and the commander of the office of intelligence for the Indiana State Police, Charles Cohen -- that the way to deal with non-US or open source encryption was just to ban it from app stores. This is a real suggestion that was just made before Congress by two (?!?) separate law enforcement officials. Rep. Morgan Griffith rightly pointed out that so many encryption products couldn't possibly be regulated by US law, and asked the panelists what to do about it. You can watch the exchange here:

You see Cohen ridiculously claim that since Apple and Google are gatekeepers to apps, that the government could just ban foreign encryption apps from being in the app stores:

Right now Google and Apple act as the gatekeepers for most of those encrypted apps, meaning if the app is not available on the App Store for an iOS device, if the app is not available on Google Play for an Android device, a customer of the United States cannot install it. So while some of the encrypted apps, like Telegram, are based outside the United States, US companies act as gatekeepers as to whether those apps are accessible here in the United States to be used.

This is just wrong. It's ignorant and clueless and for a law enforcement official -- let alone one who is apparently the "commander of the office of intelligence" -- to not know that this is wrong is just astounding. Yes, on Apple phones it's more difficult to get apps onto a phone, but it's not impossible. On Android, however, it's easy. There are tons of alternative app stores, and part of the promise of the Android ecosystem is that you're not locked into Google's own app store. And, really, is Cohen literally saying that Apple and Google should be told they cannot allow Telegram -- one of the most popular apps in the world -- in their app stores? Really?

Galati then agreed with him and piled on with more ignorance:

I agree with what the Captain said. Certain apps are not available on all devices. So if the companies that are outside the United States can't comply with same rules and regulations of the ones that are in the United States, then they shouldn't be available on the app stores. For example, you can't get every app on a Blackberry that you can on an Android or a Google.

Leaving aside the fact he said "Android or a Google" (and just assuming he meant iPhone for one of those)... what?!? The reason you can't get every app on a BlackBerry that's on other devices has nothing to do with any of this at all. It's because the market for BlackBerry devices is tiny, so developers don't develop for the BlackBerry ecosystem (and, of course, some BlackBerries now use Android anyway, so...). That comment by Galati makes no sense at all. Using the fact that fewer developers develop for BlackBerry says nothing about blocking foreign encryption apps from Android or iOS ecosystems. It makes no sense.

Why are these people testifying before Congress when they don't appear to know what they're talking about?

Later in the hearing, when questioned by Rep. Paul Tonko about how other countries (especially authoritarian regimes) might view a US law demanding backdoors as an opportunity to demand the same levels of access, Cohen speculated ridiculously, wildly and falsely that he'd heard that Apple gave China its source code:

Here's what Cohen says:

In preparing for the testimony, I saw several news stories that said that Apple provided the source code for iOS to China, as an example. I don't know whether those stories are true or not.

Yeah, because they're not. He then goes on to say that Apple has never said under oath whether or not that's true -- except, just a little while later, on the second panel, Apple's General Counsel Bruce Sewell made it quite clear that they have never given China its source code. Either way, Cohen follows it up by saying that Apple won't give US law enforcement its source code, as if to imply that Apple is somehow more willing to help the Chinese government hack into phones than the US government. Again, this is just blatant false propaganda. And yet here is someone testifying before Congress and claiming that it might be true.

Thankfully, at the end of the hearing, Rep. Anna Eshoo -- who isn't even a member of the subcommittee holding the hearing (though she is a top member of the larger committee) joined in and quizzed Cohen about his bizarre claims:

She notes that it's a huge allegation to make without any factual evidence, and asks if he has anything to go on beyond just general "news reports." Not surprisingly, he does not.

Elsewhere in the hearing, Cohen also insists that a dual key solution would work. He says this with 100% confidence -- that if Apple and law enforcement had a shared key it would be "just like a safety deposit box." Of course, this is also just wrong. As has been shown for decades, when you set up a two key solution, you're introducing vulnerabilities into the system that almost certainly let in others as well.

And then, after that, Rep. Jerry McNerney raises the point -- highlighted by many others in the past -- that rather than "going dark," law enforcement is in the golden age of surveillance and investigation thanks to more and new information, including that provided by mobile phones (such as location data, metadata on contacts and more). Cohen, somewhat astoundingly, claims he can't think of any new information that's now available thanks to mobile phones:

Here's Cohen:

Sir, I'm having problems thinking of an example of information that's available now that was not before. From my perspective, thinking through investigations that we previously had information for, when you combine the encryption issue along with shorter and shorter retention periods, in a service provider, meaning they're keeping their records, for both data and metadata, for a shorter period of time, available to legal process. I'm having difficulty finding an example of an avenue that was not available before.

Huh?!? He can't think of things like location info from mobile phones? He can't think of things like metadata and data around unencrypted texts? He can't think of things like unencrypted and available information from apps? Then why is he on this panel? And the issue of data retention? Was he just told before the hearing to make a point to push for mandatory data retention and decided to throw in a nod to it here?

At least Galati, who went after him, was willing to admit that tech has provided a lot more information than in the past -- but then claimed that encryption was "eliminating those gains."

Cohen is really the clown at the show here. He also claims that Apple somehow decided to throw away its key and that it was "solving a problem that doesn't exist" in adding encryption:

There he's being asked by Rep. Yvette Clarke if he sees any technical solutions to the encryption issue, and he says:

The solution that we had in place previously, in which Apple did hold a key. And as Chief Galati mentioned, that was never compromised. So they could comply with a proper service of legal process. Essentially, what happened is that Apple solved a problem that does not exist.

Again, this is astoundingly ignorant. The problem before was that there was no key. It wasn't that Apple had the key, it's that the data was readily available to anyone who had access to the phone. That put everyone's information at risk. It's why there was so much concern about stolen phones and why stolen phones were so valuable. For a law enforcement official to not realize that and not think it was a real problem is... astounding. And, again, raises the question of why this guy is testifying before Congress.

It also raises the question of why Congress put him on a panel with no experts around to correct his many, many errors. At the very least, towards the beginning of the second panel, Apple GC Sewell explained how Cohen was just flat out wrong on these points:

If you can't see that, after his prepared remarks, Sewell directly addresses Cohen's claims:

That's where I was going to conclude my comments. But I think I owe it to this committee to add one additional thought. And I want to be very clear on this: We have not provided source code to the Chinese government. We did not have a key 19 months ago that we threw away. We have not announced that we are going to apply passcode encryption to the next generation iCloud. I just want to be very clear on that because we heard three allegations. Those allegations have no merit.

A few minutes later, he's asked directly about this and whether or not the Chinese had asked for the source code, and Sewell says that, yes, the Chinese have asked, and Apple has refused to give it to them:

Seems like they could have killed 3 hours of ignorant arguments presented to Congress, if they had just not allowed such ignorance to be spewed earlier on.

Reader Comments

Crystal clear actually

And, indeed, they did have witnesses presenting "industry" and "law enforcement" views, but for unclear reasons decided to separate them.

They had the two groups separated, with the people who actually knew what they were talking about going second so that the 'law enforcement' side could make up any claims they wanted with minimal ability for the tech side to point out how they were wrong.

It's one thing to be able to offer corrections on the spot, right after an incorrect statement has been made, much more difficult to remember all the wrong claims that were made and address them later on when it's your turn.

Re: Crystal clear actually

They had the two groups separated, with the people who actually knew what they were talking about going second so that the 'law enforcement' side could make up any claims they wanted with minimal ability for the tech side to point out how they were wrong.

Their oversight was in having the bullshit go first. If they had done it the other way around, the industry people wouldn't have had any opportunity to correct the lies (errors?).

During our national conversation a simple solution proposed!

I got this. Fixed it with one simple proposal.

Outlaw all mobile phones other than Blackberry in the US.

Since Canada was/is able to access both (all two or three that were recently sent)"encrypted" messages sent on Blackberry devices, just mandate that the use of a non-Blackberry mobile device in the US or while communicating with a US person is now a capital crime.

When We outlaw the Sale, Importation, Transfer, and Possession of non-Blackberry mobile communication device in the US or by US persons world-wide, including the moon or anywhere else in Sol orbit the "encryption" problem will be solved, 'cause Canada will be able to access all of the messages, calls, texts, emails, photos (and we all know those are mostly 2AM dick-pics anyway), and forward them directly to the appropriate government agency, likely at least a trio of: NSA, FBI, & NYPD, we'll all be safer.

Re: Re: During our national conversation a simple solution proposed!

What makes you think smart-TVs don't already watch you then wait until they've been on sleep/standby for a few hours then pump out their connection info direct to the NSA? (Complete with timelapse snapshots for those with cameras).

It's already been proven that they listen, both Samsung and LG. It wouldn't be too much of a stretch to assume that technology exists at least for the NSA. They can do it with cell phones (Androids) and these SmartTV's run linux too. The simple answer is DO NOT allow your TV to connect to the internet under any circumstances. Use another device like a Chromecast, Firestick, or whatever to do your streaming. While it is true the Chromecast and Firestick probably send back tons of metadata about what you're watching and when, neither device has a camera or a microphone available in the userspace.

You know hoe you can tell this Cohen guy is an un-educated Douche-Nozzle?

'cause when he says ..."that a dual key solution would work. He says this with 100% confidence -- that if Apple and law enforcement had a shared key it would be "just like a safety deposit box."

Because it is a SAFE DEPOSIT BOX!

It is a little box, in a SAFE, a bank vault more specifically, that can be opened by a high school dropout, that has completed a correspondence course in "locksmithing" with a crappy battery powered drill motor, and a court order.

The only "safety" involved in the whole thing is the goggles the guy with the drill motor is hopefully wearing when he opens your box.

It makes sense

They invited the law enforcement 'experts'. They knew that they would be presented with a load of pure hogwash.They separated the two groups to prevent the obvious embarrassment of the committee if the 'experts' were called out for their stupidity immediately.

Re: A question that answers itself

And the fact that Galati AND Cohen both asked Google and Apple for money for them to 'leave quietly' is just a co-incidence as they give fake evidence designed to damage both companies that (rightfully) refused to enter into discussions about paying both these men bribes for their silence....

Galati and Cohen are able to get away with their incredible streaming bullshit because the politicians are so ignorant of the reality of the situation, they cannot distinguish the bullshit from peanut butter.

Disappointment

Overall, my immediate feeling afterwards was one of deep disappointment. Then, not too much later, I went to bed.

This morning, after sleeping on it, I wish I had something more profound to say. It really wasn't a great hearing. But so it goes, I guess… What do you really expect from a Congressional hearing?

One thing that stood out for me, was the question put to all the witnesses as to whether law enforcement and the tech industry had fallen into an adversarial relationship on this issue. Whether it had become an ‘us versus them’ situation. All of the witnesses, on both the law enforcement panel, and on the technology panel, answered that no, there wasn't an adversarial relationship. It was kind of a yes or no question, as put to them, and the basic answer was just “no” from everyone.

I think I personally would have answered that question differently. Cut down to just a yes or no type response, I think I probably would have answered “yes”.

Someone like Lavabit's Ladar Levinson probably would have answered that question with a “yes” as well, I think. Of course, he can indeed answer for himself. Maybe someone should actually ask him about whether he feels there's an adversarial relationship on the issue. Yes or no?

Why Does Congress Let Law Enforcement Officials Lie?

Prep work

During the hearing, one of the representatives commented that it was kind of refreshing to ask questions that he didn't already know the answers to.

On the surface, that does sound kinda refreshing. It sounds like maybe a good thing.

Looking deeper, though, that perhaps indicates insufficient preparation for the hearing by the committee staff, the individual representatives' staff, and the representatives themselves.

Sometimes I wonder whether it's a good idea to have so many lawyers in Congress. Montesquieu's theory of democracy would hold that the attorneys' profession should only be as numerous in a representative parliament as in proportion to their numerousity in society-at-large. But Montesquieu, of course, was a Frenchman, and in the Anglo-American tradition, the profession of a lawyer is one of representation.

The reason lawyers so often in hearings ask witnesses questions where they already know the answer is 'cause the lawyers have done their homework ahead of time. They've started the process out with research, and interogatories, and depositions. By the time you get to the hearing, using up an audience's valuable time, you're supposed to already the answers to the questions you ask.

"This has been and will always be our fault."

Careful there. This was a problem before I was born and I'm middle-aged.

And you cannot direct the public at large to behave a different way. They're going to be the same bigoted, lazy, tech-sophomoric sheeple that composes the population of every other nation.

We have to make that work for the people despite themselves.

Twelve score years ago, our constitutional framers put together the best set of rules they could think of at the time, but they presumed that people would keep educated as to their best interests and vote accordingly.

They do neither, and now the system is full of corrupted officials who've hacked their way into a lock in.

This is a bad sign...

All of this, and all that's been going on around the "Going Dark" law enforcement (and some congress members) fear mongering only highlights one major fact, now undressed and out in the clear:

NSA et al. had the entire planet's crypto defenses already defeated and in the bag.

Now that everyone and their mother is putting some counter measures in place, all of a sudden they go apeshit.

Now the Crypto Apocalypse is upon us, now they go the routes the always have gone:

Outlaw its use everywhere, lobby non-contained by US law players to do like-wise, demonize everyone who uses it nonetheless, and keep fear mongering (think of kidnapped children!). Rinse and repeat ad infinitum.

THIS IS NOT JUST BECAUSE THE ENCRYPTION DEBATE WENT MAINSTREAM THANKS TO SNOWDEN. THEIR FIGHT AGAINST THE WIDE SPREAD ADOPTION AND USE OF ENCRYPTION HAS 1% TO DO WITH THAT, AND 99% TO DO WITH THE FACT THAT THEY HAD THIS IN THE BAG, FULLY COMPROMISED. THAT'S WHAT ALL OF THIS REALLY SHOWS. At least for anyone that's been paying attention before, during and after Snowden.

Of course, were it not for him and what he did, none of this would be known with proof and facts, and no one could do a thing about it. But now we know, and we can do something about it. And we are. And we only will be doing more and more to fight back against government intrusion and reclaim our inalienable human right to Privacy.

Why are these people testifying before Congress when they don't appear to know what they're talking about?

The answer is really pretty simple, because most of Congress is completely clueless to the issues(even more so than the person(s) testifying) and if they do happen to have some understanding most don't have the balls to actually call them out on the bullshit being presented to them. Also no one ever really gets in trouble for lying cough Clapper cough so the people testifying know they can get away with spewing complete bullshit and not get in trouble for it.

I tried... I really tried...

... [t]o watch this pretty messed up piece of history. It comes in at 00:46:34 with an eloquent introduction, and then a rally of information and common, unconscious knowledge - unconscious in that anyone who is even tenuously informed, up-to-date, and has a pulse, already knows all this shit about encryption, and the "vital role" it plays in all our lives. Then it starts to go south from there.

I was able to watch another twenty-five or so more minutes of it before I realized that it was time I was never going to get back. They're a pack / bunch / conflation etc. pack of lying dogs / taints / gooches / scrots / tards. I just couldn't watch anymore. That saying comes off as kinda true...